Enhanced call-back authentication method and apparatus.

A method and apparatus for remotely accessing a host computer from a remote location. The invention permits a user to remotely change a telephone number that allows the host computer to dial the user's current location. A user performs this change only after he has been strongly authenticated using a distributed user authentication protocol in addition to a simple user ID and password. This allows the user to move between locations and access the host computer, while the call-back feature protects the host computer from unauthorized intrusion. Also, a second registered user who does not have call-back authority may gain access to the host computer through a user that has call-back authority. In this case the user with call-back authority gains entry into the host computer and causes it to call the second registered user, who then enters a user ID and password to gain entry to the host computer. The present invention may be implemented in the host computer or in an interface coupled between the host computer and its modem.



FIG. 2

A USER USES A REMOTELY LOCATED COMPUTER AND ATTACHED MODEM TO CONNECT TO A HOST COMPUTER SYSTEM BY WAY OF A DIAL-IN MODEM

THE USER ENTERS A USER ID AND PASSWORD WHEN REQUESTED BY THE HOST COMPUTER SYSTEM

AFTER PASSING THIS AUTHENTICATION CHECK, THE USER REQUESTS MODIFICATION TO THE REGISTERED PHONE NUMBER FOR CALL-BACK

THE HOST COMPUTER SYSTEM SENDS CHALLENGING QUESTIONS USING A DISTRIBUTED USER AUTHENTICATION PROTOCOL, AND THE USER ANSWERS THESE CHALLENGES CORRECTLY, INCORRECTLY, OR WITH NO ANSWER IN A PREDETERMINED MANNER

IF THE USER PASSES THE CHALLENGES OF THE DISTRIBUTED USER AUTHENTICATION PROTOCOL, THE HOST COMPUTER SYSTEM REQUESTS A NEW PHONE NUMBER TO BE STORED IN A FILE ASSOCIATED WITH THE USER ID

THE HOST COMPUTER SYSTEM BREAKS THE TELEPHONE CONNECTION AND DIALS THE NEW REGISTERED PHONE NUMBER OF THE USER

THE USER LOGS IN AND THE HOST COMPUTER SYSTEM CHECKS THE AUTHENTICATION CODE OF THE USER, AND IF IT IS CORRECT, THE TELEPHONE CONNECTION IS COMPLETED
BACKGROUND

The present invention relates generally to methods for remotely accessing a host computer system, and more particularly, to methods that provide for remotely accessing a host computer system from a plurality of remote sites by a single user.

To protect a host computer system from outside intruders using a dial-in modem attached thereto, the host computer system may require users to use a call-back procedure. A typical conventional call-back procedure works as follows. A remote user of the host computer system registers a remote telephone number with the system administrator; this remote telephone number is one where the remote computer is located. Once the user is at the remote location, and after he signs on, the user provides a user identification code and password; then the host computer system will call back to the user at the registered phone number for further processing.

However, in the conventional procedure, a single user identification code permits the use of only one registered telephone number. If the user wants to use the host computer system from another location, he must register the new number ahead of time. For a user who frequently travels to different remote locations, this procedure does not permit him to switch telephone numbers easily and quickly. In addition, even if the telephone numbers of remote locations are known ahead of time, only one number can be registered at a time.

Consequently, the existing procedure is too inflexible to be widely used. It permits a user to use the system from one remote location and from one registered phone number. For a user who moves around, he has no way to access the host computer system from various remote sites.

Therefore it would be an advantage to have a remote access procedure that permits a remote user to move between remote locations and easily and quickly change the remote call-back telephone number to permit him to access the host computer system.

SUMMARY OF THE INVENTION 

In order to provide for the above advantages, the present invention comprises a method that provides for remote accessing of a host computer system from a remote location. The method comprises the following steps. A remote user uses a remotely located computer and an attached modem to connect to the host computer system by way of a dial-in modem connected thereto. The remote user logs in by entering a user ID and password when requested by the host computer system.

After passing an authentication check by entering the correct user ID and password, the remote user requests a modification to his registered phone number for call-back. The host computer system sends challenging questions using a distributed user authentication protocol, and the remote user answers these challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner.

If the remote user passes the challenging questions posed by the distributed user authentication protocol, the host computer system requests the input of a new phone number that is stored in a file on the host computer system associated with the user ID of the remote user. The host computer system breaks the telephone connection and dials the new registered phone number of the remote user.

The remote user again logs in and the host computer system checks his authentication code, and if the authentication code is correct, the telephone connection is complete and the remote user has access to the host computer system. Using the present procedure, a user can remotely call in, authenticate himself using a distributed user authentication protocol, and change the registered phone number as frequently as it needs to be changed, while the host computer system maintains security through the call-back mechanism.

The present invention permits a user to remotely change the registered telephone number for himself such that the host computer system can dial back to the current location of the user. A user may perform this change only after he has been strongly authenticated using the distributed user authentication protocol in addition to the simple user identification and password mechanism. This permits the user to move around from one location to another and be able to access the host computer system, which uses the call-back feature to protect itself from unauthorized intrusion.

The present invention also permits a first registered user to allow another authorized user to gain remote access to a host computer. After the first user gains access to the host computer using the authentication procedure, the first user asks the computer to call a phone number at a location of a second registered user that does not have call-back authority.
The authentication procedure of the present invention may also be implemented in an interface disposed between a modem and a host computer. After a remote user passes the appropriate password checks, the interface calls back the user and connects the remote user (or the second user) to the host computer. This offers additional protection of the information stored on the host computer such that intruders cannot have direct access to any information that is stored in the host computer or in a remote location.

The present invention is therefore more user friendly and more useful than the initially described conventional procedure. For a user who moves around, using the present procedure, he has the ability to access the host computer system from various remote sites.

BRIEF DESCRIPTION OF THE DRAWINGS



the host computer system 11 requests a new phone number to be stored in a file on the host computer system 11 for the user ID of the remote user 13. In step 26, the host computer system 11 breaks the telephone connection and dials the new registered phone number of the remote user 13. In step 27, the remote user 13 logs in and the host computer system 11 checks the authentication code of the remote user 13, and if it is correct, the telephone connection is complete.

The above-described procedure 20 has been implemented on a SUN computer workstation and has been demonstrated to work well. Call connections from outside the facility where the SUN workstation (host computer 11) is located have been established from various locations by different users. A user's registered phone number may be easily changed using this procedure. Attempted intrusion into the host computer 11 has not been successful.

The authentication procedure 20 of the present invention may also be implemented in the form of an interface 30 (shown in Fig. 1) that is disposed between the modem 12 and the host computer 11. After a remote user 13 passes the appropriate password checks, the interface 30 causes the modem 12 to call back the remote user 13 and connects the remote user 13 to the host computer 11. This offers additional protection of the information stored on the host computer 11 such that intruders cannot have direct access to any information that is stored in the host computer 11 or at a remote location that is accessible by the host computer 11 via the interface 30.

The authentication procedure of the present invention also permits a registered user 13 to allow a second registered user 13a to gain remote access to the host computer system 11. After passing the tests of the present authentication procedure, the registered user 13 asks the computer 11 (or interface 30) to call a phone number at a second remote location 17, such as a second remote modem 18 coupled to a second remote computer 19. This phone number may be at a location where the second authorized user 13a is located. The second user 13a desires to connect to the host computer 11, but is unable to because the user 13a is not registered for call-back authority.

With reference to Fig. 3, it shows a flow diagram illustrating this second procedure 40 in accordance with the principles of the present invention that provides for remote accessing of the host computer system 11 from a remote location by a second registered user 13a that does not have call-back authority. The second user 13a has a second computer 19 and a modem 18 connected thereto. The procedure 40 comprises the following steps. In step 41, a remote user 13 uses a computer 14 and attached modem 15 to connect to the host computer system 11 by way of a dial-in modem 12. In step 42, the remote user 13 enters a user ID and password when requested by the



The various features and advantages of the present invention may be more readily understood with reference to the following detailed description taken in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

Fig. 1 shows the apparatus required to implement a procedure in accordance with the principles of the present invention; and
Fig. 2 is a flow diagram illustrating one procedure in accordance with the principles of the present invention.

DETAILED DESCRIPTION

Referring to Fig. 1, it shows the apparatus 10 used to implement a procedure in accordance with the principles of the present invention. The apparatus includes a host computer system 11 that has a dial-in modem 12 connected thereto. A user 13 is located at a remote location and has a computer 14, which may be a computer workstation or a terminal, for example. The computer 14 has a modem 15 connected thereto. The modem 15 and the dial-in modem 12 are connected by way of telephone lines 16, for example, or other conventional communications link.

Referring to Fig. 2, it shows a flow diagram illustrating one procedure 20 in accordance with the principles of the present invention that provides for remote accessing of the host computer system 11 from a remote location. The procedure 20 comprises the following steps, which may also be referred to as a procedural algorithm.

In step 21, a remote user 13 uses the computer 14 and attached modem 15 to connect to the host computer system 11 by way of the dial-in modem 12. In step 22, the remote user 13 enters a user ID and password when requested by the host computer system 11. In step 23, after passing this authentication check, the remote user 13 either requests modification to the registered phone number for call-back or proceeds to step 25.

In step 24, the host computer system 11 sends challenging questions using a distributed user authentication protocol, and the remote user 13 must answer these challenges correctly, incorrectly, or with no answer in a predetermined manner. The distributed user authentication protocol is described in detail in U.S. Patent Application Serial No. ________, filed ________.

In step 25, if the remote user 13 passes the challenges of the distributed user authentication protocol,
host computer system 11. In step 43, after passing this authentication check, the remote user 13 enters a phone number of a second remote user 13a for call-back.

In step 44, the host computer system 11 sends challenging questions using a distributed user authentication protocol, and the remote user 13 must answer these challenges correctly, incorrectly, or with no answer in a predetermined manner. In step 45, if the remote user 13 passes the challenges of the distributed user authentication protocol, the host computer system 11 breaks the telephone connection and dials the phone number of the second remote user 13a. In step 46, the second remote user 13a logs in and the host computer system 11 checks the authentication code of the second remote user 13a, and if it is correct, the telephone connection is complete.
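Both procedures described above (procedure 20, in which a registered user re-registers his own call-back number after strong authentication, and procedure 40, in which a user with call-back authority has the host dial a second registered user) can be simulated end to end. The Python program below is an added example written for this page, not code from the patent. The distributed user authentication protocol is referenced but not described here, so it is modelled by assumption as a fixed list of challenge questions with a per-user registered pattern of expected outcomes (correct, incorrect, or no answer); the authentication code checked after the call-back is assumed to be a per-user secret string; and the telephone network is a constructed dictionary mapping a number to the user who answers it. All user names, numbers, passwords and codes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import hashlib
import hmac
import secrets

CORRECT, INCORRECT, NONE = "correct", "incorrect", "none"


@dataclass
class UserRecord:
    """File entry kept on the host for one registered user ID."""
    salt: bytes
    password_hash: bytes
    auth_code: str                  # checked after the host dials back (assumed per-user secret)
    callback_number: Optional[str]  # None: registered, but without call-back authority
    questions: Dict[str, str]       # challenge -> correct answer (assumed form of the protocol)
    pattern: List[str]              # predetermined manner: expected outcome of each challenge


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CallbackHost:
    """Host computer system 11 (or interface 30) behind dial-in modem 12."""

    def __init__(self, phone_network: Dict[str, str]):
        # phone_network maps a telephone number to the user who answers there:
        # a constructed stand-in for modem 12 dialling out over line 16.
        self.users: Dict[str, UserRecord] = {}
        self.network = phone_network
        self.audit: List[str] = []

    def register(self, uid, password, auth_code, callback_number, questions, pattern):
        salt = secrets.token_bytes(16)
        self.users[uid] = UserRecord(salt, _hash(salt, password), auth_code,
                                     callback_number, questions, pattern)

    def login(self, uid: str, password: str) -> bool:
        """Steps 22/42: user ID and password."""
        rec = self.users.get(uid)
        ok = rec is not None and hmac.compare_digest(rec.password_hash, _hash(rec.salt, password))
        self.audit.append(f"login {uid}: {'ok' if ok else 'FAIL'}")
        return ok

    def challenge(self, uid: str, responses: List[Optional[str]]) -> bool:
        """Steps 24/44: each challenge is answered correctly, incorrectly or not at all,
        and the sequence of outcomes must equal the pattern registered for the user."""
        rec = self.users[uid]
        outcomes = []
        for answer, response in zip(rec.questions.values(), responses):
            if response is None:
                outcomes.append(NONE)
            elif hmac.compare_digest(answer.encode(), response.encode()):
                outcomes.append(CORRECT)
            else:
                outcomes.append(INCORRECT)
        ok = len(responses) == len(rec.questions) and outcomes == rec.pattern
        self.audit.append(f"challenge {uid}: {'ok' if ok else 'FAIL'} {outcomes}")
        return ok

    def _dial_back(self, number: str, login_uid: str, auth_code: str) -> bool:
        """Steps 26-27/45-46: drop the dial-in call, dial the stored number, and check
        the authentication code of the user who logs in on the returned call."""
        if number not in self.network:
            self.audit.append(f"dial {number}: no answer")
            return False
        rec = self.users.get(login_uid)
        ok = rec is not None and hmac.compare_digest(rec.auth_code.encode(), auth_code.encode())
        self.audit.append(f"dial {number}, login {login_uid}: {'ok' if ok else 'FAIL'}")
        return ok

    def _strongly_authenticated(self, uid: str, password: str, responses) -> bool:
        # password, then the challenge protocol; the caller must also hold call-back authority
        return (self.login(uid, password) and self.challenge(uid, responses)
                and self.users[uid].callback_number is not None)

    def change_number_and_call_back(self, uid, password, responses, new_number, auth_code) -> bool:
        """Procedure 20: the user re-registers his own call-back number and is called back on it."""
        if not self._strongly_authenticated(uid, password, responses):
            return False
        self.users[uid].callback_number = new_number   # step 25: stored in the user's file
        return self._dial_back(new_number, uid, auth_code)

    def call_second_user(self, uid, password, responses, second_number, second_uid, second_code) -> bool:
        """Procedure 40: a user with call-back authority has the host dial a second
        registered user, who then logs in with his own authentication code."""
        if not self._strongly_authenticated(uid, password, responses):
            return False
        return self._dial_back(second_number, second_uid, second_code)


def build_demo_host() -> CallbackHost:
    """Constructed sample data: alice has call-back authority, bob does not."""
    host = CallbackHost({"555-0100": "alice", "555-0150": "alice", "555-0199": "bob"})
    host.register("alice", "correct horse", "A-7731", "555-0100",
                  {"colour": "blue", "tree": "oak", "year": "1984"}, [CORRECT, NONE, INCORRECT])
    host.register("bob", "battery staple", "B-2048", None, {"colour": "red"}, [CORRECT])
    return host


if __name__ == "__main__":
    host = build_demo_host()
    print(host.change_number_and_call_back("alice", "correct horse", ["blue", None, "wrong"],
                                           "555-0150", "A-7731"))
    print(host.call_second_user("alice", "correct horse", ["blue", None, "wrong"],
                                "555-0199", "bob", "B-2048"))
    print("\n".join(host.audit))
```

The stored number is only rewritten after both the password check and the challenge pattern succeed, and the host dials the stored number rather than the line the caller came in on, so a user ID and password alone cannot redirect the call-back; a user without call-back authority (bob) is refused even with a correct password and correct challenge answers, and can only be reached through alice's authority. The audit list records each decision, so a failed pattern or a dial to a number nobody answers is visible to the operator.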

Thus there has been described a new and improved method that provides for remotely accessing a host computer system from a plurality of remote sites by a single user. It is to be understood that the above-described embodiments are merely illustrative of some of the many specific embodiments which represent applications of the principles of the present invention. Clearly, numerous and varied other arrangements may be readily devised by those skilled in the art without departing from the scope of the present invention.



Claims

1. A method that provides for remote accessing of a host computer system from a remote location, said method comprising the following steps:

a remote user uses a remotely located computer having an attached modem to connect to the host computer system by way of a modem connected thereto;

the remote user logs in by entering a user ID and password when requested by the host computer system;

after passing an authentication check by entering the correct user ID and password, the remote user requests a modification to his registered phone number for call-back;

the host computer system sends challenging questions using a distributed user authentication protocol, and the remote user answers these challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner;

if the remote user passes the challenging questions posed by the distributed user authentication protocol, the host computer system requests the input of a new phone number that is stored in a file on the host computer system associated with the user ID of the remote user;

the host computer system breaks the telephone connection and dials the new registered phone number of the remote user; and

the remote user again logs in and the host computer system checks the authentication code, and if the authentication code is correct, the telephone connection is complete and the remote user has access to the host computer system.

2. The method of Claim 1 wherein the predetermined protocol is a predetermined distributed user authentication protocol.

3. The method of Claim 1 wherein the user answers the challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner.

4. A method that provides for remote accessing of a host computer system from a remote location, said method comprising the following steps:

a first remote user uses a remotely located computer having an attached modem to connect to the host computer system by way of a modem connected thereto;

the first remote user logs in by entering a user ID and password when requested by the host computer system;

after passing an authentication check by entering the correct user ID and password, the first remote user inputs a phone number of a second remote user for call-back;

the host computer system sends challenging questions using a distributed user authentication protocol, and the remote user answers these challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner;

if the first remote user passes the challenging questions posed by the distributed user authentication protocol, the host computer system breaks the telephone connection and dials the phone number of the second remote user; and

the second remote user logs in and the host computer system checks the authentication code, and if the authentication code is correct, the telephone connection is complete and the second remote user has access to the host computer system.

5. The method of Claim 4 wherein the predetermined protocol is a predetermined distributed user authentication protocol.


6. The method of Claim 4 wherein the user answers the challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner.

7. Apparatus that provides for remote accessing of a host computer system from a remote location, said apparatus comprising:

a first modem attached to a first remotely located computer;

a second modem for use by the host computer system;

an interface coupled between the host computer and the second modem that implements the following procedure:

a remote user uses the first remotely located computer and the first modem to connect to the host computer system by way of the second modem and interface connected thereto;

the remote user logs in by entering a user ID and password when requested by the interface;

after passing an authentication check by entering the correct user ID and password, the interface sends challenging questions using a distributed user authentication protocol, and the remote user answers these challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner;

if the remote user passes the challenging questions posed by the distributed user authentication protocol, the interface requests the input of a phone number that is stored in a file on the interface;

the interface breaks the telephone connection and dials the phone number; and

the remote user again logs in and the interface checks the authentication code, and if the authentication code is correct, the telephone connection is complete and the remote user has access to the host computer system by way of the interface.

8. The apparatus of Claim 7 wherein after the remote user passes the authentication check by entering the correct user ID and password, the remote user requests a modification to his registered phone number for call-back, and wherein the requested phone number is stored in a file on the interface associated with the user ID of the remote user.



of the second user, the second user logs in, and the interface checks the second user's authentication code, and if the authentication code is correct, the telephone connection is complete and the second user has access to the host computer system.

10. The apparatus of Claim 8 wherein the predetermined protocol is a predetermined distributed user authentication protocol.



11. The apparatus of Claim 8 wherein the user answers the challenging questions by providing correct answers, incorrect answers, or no answers in a predetermined manner.
9. The apparatus of Claim 7 wherein after the remote user passes the authentication check by entering the correct user ID and password, the remote user requests a phone number for call-back that is associated with a second registered user, and if the remote user passes the challenging questions posed by the distributed user authentication protocol, the interface breaks the telephone connection and dials the phone number
FIG. 3

Step 41: A USER USES A REMOTELY LOCATED COMPUTER AND ATTACHED MODEM TO CONNECT TO A HOST COMPUTER SYSTEM BY WAY OF A MODEM

Step 42: THE USER ENTERS A USER ID AND PASSWORD WHEN REQUESTED BY THE HOST COMPUTER SYSTEM

Step 43: AFTER PASSING THIS AUTHENTICATION CHECK, THE USER ENTERS A PHONE NUMBER OF A SECOND USER FOR CALL-BACK

Step 44: THE HOST COMPUTER SYSTEM SENDS CHALLENGING QUESTIONS USING A DISTRIBUTED USER AUTHENTICATION PROTOCOL, AND THE USER ANSWERS THESE CHALLENGES CORRECTLY, INCORRECTLY, OR WITH NO ANSWER IN A PREDETERMINED MANNER

Step 45: IF THE USER PASSES THE CHALLENGES OF THE DISTRIBUTED USER AUTHENTICATION PROTOCOL, THE HOST COMPUTER SYSTEM BREAKS THE TELEPHONE CONNECTION AND DIALS THE PHONE NUMBER OF THE SECOND USER

Step 46: THE SECOND USER LOGS IN AND THE HOST COMPUTER SYSTEM CHECKS THE AUTHENTICATION CODE OF THE USER, AND IF IT IS CORRECT, THE TELEPHONE CONNECTION IS COMPLETED